CVE-2024-13052
Published: 27 January 2025
Description
The Dental Optimizer Patient Generator App WordPress plugin through 1.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
Security Summary
CVE-2024-13052 is a reflected cross-site scripting (XSS) vulnerability in the Dental Optimizer Patient Generator App WordPress plugin through version 1.0. The plugin does not sanitize and escape a request parameter before outputting it back in the page, so attacker-controlled input is rendered as active page content. Published on 2025-01-27, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) and maps to CWE-79.
The vulnerability is exploitable remotely by an unauthenticated attacker (PR:N) but requires user interaction (UI:R). An attacker crafts a link carrying an XSS payload in the vulnerable parameter and induces a high-privilege user, such as an admin, to open it in the browser. Successful exploitation executes the script in the victim's session context, potentially allowing session hijacking, data theft, or unauthorized actions; the CVSS vector rates the impact on confidentiality, integrity, and availability as low, with changed scope (S:C).
Mitigation details are available in the WPScan advisory at https://wpscan.com/vulnerability/671d5eef-c496-4047-9d01-8ab8a94cdc72/.
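The sanitise-and-escape gap the advisory describes, shown as an added PHP example beside the hardened form. This is not the plugin's code; the parameter name patient_ref, the function names and the markup are hypothetical placeholders, while sanitize_text_field, wp_unslash, esc_attr and esc_html are the standard WordPress helpers.

```php
<?php
// Added example, not code from the Dental Optimizer plugin. The parameter
// "patient_ref" and the dopg_* function names are hypothetical placeholders.

// BEFORE: the CWE-79 pattern behind CVE-2024-13052. A request parameter is
// echoed straight back into the page with no sanitisation and no escaping,
// so any markup or script in the parameter is rendered by the browser.
function dopg_render_search_vulnerable() {
    $ref = isset( $_GET['patient_ref'] ) ? $_GET['patient_ref'] : '';
    echo '<input type="text" name="patient_ref" value="' . $ref . '">';
    echo '<p>Results for ' . $ref . '</p>';
}

// AFTER: unslash the raw value, sanitise it on input, and escape it for the
// exact output context where it is printed. Escaping is context-specific:
// esc_attr() for HTML attribute values, esc_html() for text nodes,
// esc_url() for href/src, wp_json_encode() for values embedded in script.
function dopg_render_search_fixed() {
    $ref = '';
    if ( isset( $_GET['patient_ref'] ) ) {
        $ref = sanitize_text_field( wp_unslash( $_GET['patient_ref'] ) );
    }
    echo '<input type="text" name="patient_ref" value="' . esc_attr( $ref ) . '">';
    echo '<p>Results for ' . esc_html( $ref ) . '</p>';
}
```

Sanitisation alone is not sufficient: sanitize_text_field() strips tags but does not encode quotes for attribute context, so the late escaping call at the point of output is the control that closes the reflected XSS.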
Details
- CWE(s)